Single Sign On (SSO) between WordPress and CakePHP


Staff member
I have an existing WordPress site. The plan is to rebuild the site using the CakePHP framework. Due to time restrictions, I want to replace individual sections of the WordPress site one at a time. This will mean that both apps will be running side by side for a certain period of time. I need to control access to the CakePHP app using the authorization provided by WordPress. I'm not sure of the best way to go about doing this. I've seen similar questions asked a lot, but I have not yet found a clear solution.

I'm thinking about two approaches:

<strong>Plan A:</strong>

<ul>
<li>Configure Cake to look for WordPress's authorization cookies.</li>
<li>Configure Cake to look at WordPress's database.</li>
<li>Borrow some of WordPress's authorization logic to teach Cake's Auth component how to authenticate WP users.</li>
</ul>

<strong>Plan B:</strong>

<ul>
<li>Set up an authorization API on my WordPress site.</li>
<li>Set up a separate auth component in Cake.</li>
<li>Ping the WP endpoint when a user hits a protected page in the Cake app and then manually log in the user. (This would create a second set of auth cookies.)</li>
</ul>

Does either of these sound like the right approach? Is there a better way to do this?

Helpful references: <a href="" rel="nofollow noreferrer">Article about Cake session handling</a>, <a href="" rel="nofollow noreferrer">Cake Auth component documentation</a>, <a href="" rel="nofollow noreferrer">Cake Auth tutorial</a>, <a href="" rel="nofollow noreferrer">brief overview of WP authorization</a>, <a href="" rel="nofollow noreferrer">a more in-depth look at WordPress authorization</a>

We've started working on this, and it seems like it will work, but there is a very tricky aspect involving password hashing that warrants <a href="">its own question</a>. If you're following this thread, you may want to have a look.
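
The cookie check in Plan A could look like the following on the Cake side. This is an added example, not part of the original post and not WordPress or CakePHP code. It assumes the four-field `logged_in` cookie layout that `wp_validate_auth_cookie()` checks and a phpass-style stored hash; `validateWpLoggedInCookie` and `$findUser` are hypothetical names, and all sample values are constructed.

```php
<?php
/**
 * Added example, not WordPress or CakePHP code. Assumes the four-field cookie
 * username|expiration|token|hmac and a phpass-style user_pass value.
 * $findUser (hypothetical) maps a username to ['user_pass' => string,
 * 'sessions' => array] or null; query it with a bound parameter, since the
 * username is untrusted. $salt is LOGGED_IN_KEY . LOGGED_IN_SALT.
 */
function validateWpLoggedInCookie(string $cookie, callable $findUser, string $salt, ?int $now = null): ?string
{
    $now = $now ?? time();
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$username, $expiration, $token, $hmac] = $parts;
    if (!ctype_digit($expiration) || (int) $expiration < $now) {
        return null; // malformed or expired
    }
    $user = $findUser($username);
    if ($user === null) {
        return null;
    }
    // Per-cookie key mixes in four characters of the stored password hash,
    // so a password change invalidates cookies issued before it.
    $passFrag = substr($user['user_pass'], 8, 4);
    $key = hash_hmac('md5', "$username|$passFrag|$expiration|$token", $salt);
    $expected = hash_hmac('sha256', "$username|$expiration|$token", $key);
    if (!hash_equals($expected, $hmac)) { // constant-time comparison
        return null;
    }
    // Server-side session record: a WordPress logout must also end Cake access.
    $session = $user['sessions'][hash('sha256', $token)] ?? null;
    if (!is_array($session) || (int) ($session['expiration'] ?? 0) < $now) {
        return null;
    }
    return $username;
}

// Constructed sample data (not real secrets, hashes or tokens).
$salt = 'constructed-key' . 'constructed-salt';
$pass = '$P$BconstructedHashValue0123456789';
[$exp, $token] = ['2000000000', 'constructedtoken'];
$key = hash_hmac('md5', 'alice|' . substr($pass, 8, 4) . "|$exp|$token", $salt);
$cookie = "alice|$exp|$token|" . hash_hmac('sha256', "alice|$exp|$token", $key);
$find = fn($u) => $u === 'alice' ? ['user_pass' => $pass,
    'sessions' => [hash('sha256', $token) => ['expiration' => 2000000000]]] : null;
var_dump(validateWpLoggedInCookie($cookie, $find, $salt, 1700000000));
var_dump(validateWpLoggedInCookie($cookie . 'x', $find, $salt, 1700000000));
```

WordPress also allows a one-hour expiry grace period for POST and Ajax requests, which this check does not reproduce. The cookie layout and the password-hash slice have changed between WordPress releases, so compare the logic against the `wp_validate_auth_cookie()` source of the installed version.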